About the ‘Windows protected your PC’ warning (and our path to fixing it)

    LXB Studio
    Keymaster

    ✅ Update — April 2026: ImageSmasher 1.0.2 installers are now code-signed by LXB Studio LLC with an RFC-3161 trusted timestamp. The post below describes the situation before signing was live, and remains here as a reference for anyone running 1.0.0 or 1.0.1.

    If you’re on 1.0.0 or 1.0.1: upgrade to 1.0.2 for the signed installer. You’ll need to re-enter your license key after upgrading (the new fingerprint algorithm invalidates older offline tokens — your activation count is not affected).

    About the Windows SmartScreen warning on first install

    When you install ImageSmasher for the first time, Windows probably showed you a blue screen that said “Windows protected your PC” with a Don’t run button and a smaller More info link. If you clicked around a little, you eventually found the Run anyway button hiding under that link.

    That’s not a bug, it’s not a virus, and it’s not going to stay that way forever. But you deserve a straight answer about what’s happening and why, so here it is.


    What SmartScreen is actually doing

    Windows SmartScreen is Microsoft’s reputation system for executables. When you run an installer, Windows checks two things:

    1. Is this file digitally signed? A signed file includes a cryptographic signature from a known publisher (verified by a certificate authority). Windows can confirm who made the file and that nobody modified it after signing.
    2. Does Microsoft recognize this publisher? Even signed software from brand-new publishers shows a warning until the publisher builds up enough install history for Microsoft to consider them trusted.

    ImageSmasher right now is unsigned. The warning you’re seeing isn’t “we detected something bad” — it’s “we don’t know who made this and we can’t verify it’s what the developer originally built.” Which is fair. It’s just the default posture for unknown software.

    Why we haven’t signed it yet (the honest answer)

    Code signing certificates for Windows went through a significant change in 2023. Microsoft now requires Extended Validation (EV) certificates for the fastest SmartScreen reputation gains, and EV certs require a physical USB hardware token shipped to the publisher. The combination of hardware token costs, annual renewals, and the still slow reputation-building process made it tough to justify as an independent developer.

    The good news: Microsoft launched Azure Trusted Signing in 2024 — a managed signing service that eliminates the hardware token requirement and gives publishers access to Microsoft’s own signing infrastructure. Setup takes a few weeks (business verification, identity checks, the works), and we’re in the middle of that process now.

    When it’s complete, every ImageSmasher release from that point forward will be signed, and the SmartScreen warning will go away for most users almost immediately. For the rest, it disappears as the signed publisher identity builds install history.

    How to verify your download is authentic in the meantime

    Fair question to ask: “How do I know the file I downloaded is actually the one LXB Studio published, and not something modified along the way?”

    Short answer: SHA-256 hashes. We publish the SHA-256 hash of every installer on the documentation page, in the Installer Verification section. The hash is a unique fingerprint of the exact bytes of the installer. If one bit is different, the hash is different.

    To check the file you downloaded, open PowerShell in the folder where the installer lives and run:

    Get-FileHash ImageSmasher_1.0.2_x64-setup.exe

    PowerShell will print a long hex string. Compare it character-by-character against the hash published on the docs page. If they match, you have the exact file we published. If they don’t match, don’t run it — something happened to it between our server and your disk, and you should download again (or tell us about it).

    This is the same verification method Linux distributions have used for decades. It’s not as convenient as a built-in Windows trust indicator, but it’s equally reliable — arguably more reliable, since you’re verifying the exact file instead of trusting a certificate chain.

    Is it safe to click “Run anyway”?

    If the SHA-256 hash matches, yes. You’ve verified the installer is the genuine file we published. The SmartScreen warning at that point is about an absent signature, not about detected malware. Defender will still scan the file for known threats regardless of signing status — signing doesn’t bypass antivirus, and antivirus doesn’t require signing.

    If the hash doesn’t match, no. Download the installer fresh from imagesmasher.com/download and verify again before running.

    What happens when signing goes live

    When Azure Trusted Signing setup wraps up:

    • New installers will carry a valid digital signature from LXB Studio LLC
    • The SmartScreen warning will be gone for most users on first install
    • Any Pro license you already have continues to work — nothing to re-activate
    • We’ll re-sign current installers where practical so even old download links get the benefit
    • The SHA-256 verification section stays on the docs page anyway, because why not — some users like it

    We’ll post an announcement in this forum section the moment it’s live.


    If you have any concerns

    Reply here, message us through the support page, or open a bug report thread. A real person (usually me) reads every one. If something about this feels off — an install didn’t verify, the warning looked different than described, anything — I’d rather know sooner than later.

    — Lance, LXB Studio
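
The check described in the post, done by script instead of by eye. This is an added example, not code from LXB Studio. It compares the installer's SHA-256 against the value you paste from the docs page and also reports the Authenticode signature status that the 1.0.2 update mentions. The script name `Verify-Installer.ps1` and the function names are hypothetical, and the published hash is a required parameter because it does not appear in the post.

```powershell
# Added example (hypothetical Verify-Installer.ps1), not LXB Studio's code.
# -Expected must be the SHA-256 copied from the Installer Verification
# section of the docs page; no hash value is hard-coded here.
param(
    [string]$Path = '.\ImageSmasher_1.0.2_x64-setup.exe',
    [Parameter(Mandatory)][string]$Expected
)

function Test-InstallerHash {
    param([string]$Path, [string]$Expected)
    # Normalise the pasted value: drop whitespace, ignore letter case.
    $want = ($Expected -replace '\s', '').ToUpperInvariant()
    if ($want -notmatch '^[0-9A-F]{64}$') {
        throw 'Expected value is not a 64-character SHA-256 hex string.'
    }
    $got = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    [pscustomobject]@{ Match = ($got -eq $want); Actual = $got; Expected = $want }
}

function Get-InstallerSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Status      = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject    # $null when unsigned
        Timestamped = [bool]$sig.TimeStamperCertificate # countersignature present
    }
}

$hash = Test-InstallerHash -Path $Path -Expected $Expected
$sig  = Get-InstallerSignature -Path $Path
$hash | Format-List
$sig  | Format-List

if (-not $hash.Match) {
    Write-Error 'Hash mismatch: do not run this file. Download it again.'
    exit 1
}
if ($sig.Status -eq 'NotSigned') {
    # Expected for the unsigned 1.0.0 and 1.0.1 installers described in the post.
    Write-Warning 'No Authenticode signature on this file.'
} elseif ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is $($sig.Status): do not run this file."
    exit 1
}
Write-Output 'Hash matches the published value.'
```

Run it from the download folder as `.\Verify-Installer.ps1 -Expected '<hash from the docs page>'`; a non-zero exit code means the file should not be run.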
